Product & Service Introduction:
===============================
The Barracuda Control Center is a comprehensive cloud-based service that enables administrators to monitor and configure multiple Barracuda Networks products from a single console. With the Barracuda Control Center, you can check the health of all connected devices, run reports that are generated by gathering data from all the devices, and assign roles with varied permissions to different types of users. The powerful Web interface of the Barracuda Control Center provides for convenient configuration and management of multiple Barracuda Networks device settings, while also providing a view of each device Web interface for individual configuration or reporting. No need to install software or deploy hardware. Key statistics can be viewed by device type at a glance on the Status page of the Web interface with the ability to drill down for more detail into the individual Web interface for each connected device.

(Copy of the Vendor Homepage: https://www.barracudanetworks.com/ns/downloads/Setup_Guides/Barracuda_Cloud_Control_SG_US.pdf)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a cross site scripting vulnerability in the official Barracuda Networks Cloud Control 7.1.1.003.

The cross site scripting web vulnerability is located in the `email` parameter of the `./new_user/success/` registration module. Remote attackers with knowledge of an existing email address are able to append a payload to that address in the thank-you page request. This allows the remote attacker to trigger a client-side cross site scripting issue within the thank-you page of the Barracuda Cloud Control registration mechanism. The request method used to inject is GET, and the attack vector is located on the client side of the online service web application.

The security risk of the cross site scripting web vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 3.3. Exploitation of the client-side cross site scripting web vulnerability requires no privileged web application user account and low or medium user interaction. Successful exploitation of the vulnerability results in non-persistent phishing, session hijacking, non-persistent external redirects to malicious sources, and client-side manipulation of the affected or connected web module context.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./new_user/success/

Vulnerable Parameter(s):
[+] email

Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote attackers without a privileged web application user account and with low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue.

Solution - Fix & Patch:
=======================
The vulnerability can be patched by sanitising the vulnerable `email` parameter in the thank-you registration page of the Barracuda Networks Cloud Control application. Encode the value at the vulnerable output location to prevent execution of client-side injected payloads, and disallow the use of special characters in parameters submitted via the GET method.
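As an added illustration of the fix described above (this is not Barracuda's code; the handler, the page text and the allow-list pattern are assumptions), here is the unencoded reflection of the `email` parameter next to a hardened version that validates the GET parameter with an allow-list and HTML-encodes it on output:

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Conservative allow-list for an email address (assumption: the real service may
# accept a broader syntax). Anything outside this set, including '<', '>', '"', is rejected.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")


def render_success_vulnerable(email: str) -> str:
    """'Before' form: the query parameter is reflected into the page markup unencoded."""
    return f"<p>Thank you, {email}, your registration is complete.</p>"


def is_valid_email(email: str) -> bool:
    """Input validation: reject values that contain characters outside the allow-list."""
    return EMAIL_RE.fullmatch(email) is not None


def render_success_fixed(email: str) -> str:
    """'After' form: validate first, then HTML-encode on output (defence in depth).

    A rejected value is never echoed back, not even in an error message."""
    if not is_valid_email(email):
        return "<p>Thank you, your registration is complete.</p>"
    safe = html.escape(email, quote=True)  # encodes & < > " ' for an HTML text context
    return f"<p>Thank you, {safe}, your registration is complete.</p>"


def handle_success_request(url: str) -> str:
    """Simulated GET handler for ./new_user/success/?email=... (hypothetical route)."""
    query = parse_qs(urlsplit(url).query)
    email = query.get("email", [""])[0]
    return render_success_fixed(email)


if __name__ == "__main__":
    # Constructed sample requests: a normal address and one carrying markup.
    for u in ("https://example.invalid/new_user/success/?email=user%40example.com",
              "https://example.invalid/new_user/success/?email=a%3Cb%3E%40example.com"):
        print(handle_success_request(u))
```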

Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the Cloud Control web application is estimated as medium.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist-hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Any modified copy or reproduction, including partial usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact ([email protected]) to ask for permission.